Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »


https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

Old one:    https://www.juniper.net/documentation/en_US/junose15.1/topics/concept/nat-traversal-overview.html

IPsec VPN:  https://www.juniper.net/documentation/en_US/day-one-books/DO_IPsec_VPNs_2018.pdf


Payload encapsulation



Signalingin ISAKMP ( IKE phase1 )

https://www.rfc-editor.org/rfc/rfc3947





1st/2nd packet

in the 3rd and 4th packet


payload: NAT-Discovery


Compare the NAT-D ( IP@ + port)

with the packet received

2x NAT-D ( 1st= remote IP@/port and 2nd= local IP@/port)
>> solve the questions: direction and existance of NAT .
If both ends calculate those hashes and get same result, they know there is no NAT between.  
If the hashes do not match, somebody has translated the address or port.


NAT-T for IKE peer: NAT-T is used when there is a network device between the two tunnel end-points that enforce NAT.

all the IPSEC tunnerl to traverse the NATing equipement

Challenge:  Any changes to the IP addressing, which is the function of NAT, causes IKE to discard packets

Solution:  ESP over UDP/4500

After detecting one or more NAT devices ( by the firwall)  along the datapath during Phase 1 exchanges,

>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. 



edit security ike gateway gateway-name 


[edit security ike gateway IKE-GW1]

root@srx3200# set no-nat-traversal


  • No labels